
I'm creating a simple voting app whereby the client chooses an option from an HTML select dropdown. When it is submitted through a form, it fires a POST request to save the selection in the database. This is then updated on the front-end.

There is currently no authentication implemented, but I may pursue this if needed.

My main concerns are someone voting a ridiculous number of times and also the fairness of being able to vote only once.

For now I've just added local storage when the client votes, so when the app re-renders the select is disabled. Obviously this isn't a solid solution, as they can clear this or use another device.

I've never built a voting app before, so I don't have experience in this situation. I was curious what the best solution was for something like this. It's not a serious app, but I would like to resolve this in a better way than using local storage if possible.

POST request

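router.post('/allTime', async (req, res) => {
    try {
        // req.body is already parsed by the body-parsing middleware; no await needed
        const guest = req.body.guest;

        if (guest) {
            // Normalise the option so "Alice" and "alice" count as the same choice
            const guestFormatted = guest.toLowerCase();
            // Every accepted POST stores one point; nothing here ties a vote to a voter
            const guestPoll = await new GuestPoll({
                guest: guestFormatted,
                points: 1
            }).save();

            // Broadcast the new vote so connected clients can update
            pusher.trigger("poll", "poll-vote", {
                guest: guestPoll.guest,
                points: parseInt(guestPoll.points, 10)
            });
        }

        return res.json({
            message: 'Vote submitted'
        });
    } catch (err) {
        // Report failures with an error status instead of the default 200
        return res.status(500).json({
            err
        });
    }
});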
Joe Consterdine

1 Answer


Your only real options for limiting voting are still to limit by IP/MAC address and/or by an authenticated account.

Anyone serious about only having "one vote per person" functionality will have user authentication.

Please don't edit my answer and link to something that will inevitably lead to security and exploit issues... MAC and IP addresses can be spoofed easily, and they are not a safe or reliable way to retrieve a truly unique device ID.

But if every security/exploit issue is irrelevant to your case, be my guest and follow this that Tyler2 linked.

If you wanna teach your friends a lesson about user authenticity and device ID reliability, just Google 'spoofing mac address'.
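The two controls named in the answer, sketched server-side as an added example that is not part of the original question or answer: one vote per authenticated account as the real limit, with a per-IP cap only as a coarse throttle. The names `createVoteGuard`, `castVote` and `tally` are hypothetical, `userId` is assumed to come from an authenticated session, and the in-memory maps stand in for the database.

```javascript
// Added example (hypothetical helper, not the app's own code).
// In a real store, back votedAccounts with a unique index on the user id so
// two concurrent requests from one account cannot both be accepted.
function createVoteGuard({ maxPerIp = 5, windowMs = 60 * 60 * 1000 } = {}) {
  const votedAccounts = new Map(); // userId -> option chosen
  const ipAccepted = new Map();    // ip -> timestamps of accepted votes

  function castVote({ userId, ip, guest }, now = Date.now()) {
    if (typeof guest !== 'string' || guest.trim() === '') {
      return { ok: false, status: 400, reason: 'missing guest' };
    }
    // Without an authenticated identity there is nothing reliable to key on.
    if (!userId) {
      return { ok: false, status: 401, reason: 'login required' };
    }
    // Sliding-window throttle per address. This is only a speed bump: the
    // address can change, and users behind one NAT share the same budget.
    const recent = (ipAccepted.get(ip) || []).filter((t) => now - t < windowMs);
    ipAccepted.set(ip, recent);
    if (recent.length >= maxPerIp) {
      return { ok: false, status: 429, reason: 'too many votes from this address' };
    }
    // The actual one-vote rule: keyed on the account, not on the device.
    if (votedAccounts.has(userId)) {
      return { ok: false, status: 409, reason: 'already voted' };
    }
    const option = guest.toLowerCase();
    votedAccounts.set(userId, option);
    recent.push(now);
    return { ok: true, status: 200, guest: option };
  }

  // Count accepted votes per option.
  function tally() {
    const counts = {};
    for (const option of votedAccounts.values()) {
      counts[option] = (counts[option] || 0) + 1;
    }
    return counts;
  }

  return { castVote, tally };
}
```

In the route from the question, the result's `status` would be passed to `res.status()` before saving the vote and triggering the Pusher event.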